Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

WEBINAR:On-Demand

Oracle has released its January Critical Patch Update, fixing 237 vulnerabilities across the company's product portfolio. The update, released on Jan. 16, comes as cryptocurrency miner attackers take aim at vulnerabilities that Oracle patched in its October 2017 CPU.

The January 2018 CPU addresses myriad security vulnerabilities, including ones affecting database, middleware, Java, PeopleSoft, Siebel and E-Business Suite applications. Of particular note, Oracle's January CPU includes patches for the Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) processor vulnerabilities that were disclosed on Jan. 3.

Other issues patched by Oracle in the January CPU include a pair of critical vulnerabilities (CVE-2018-2655 and CVE-2018-2656) in the Oracle E-Business Suite (EBS) that were reported by security firm Onapsis. The EBS flaws are remotely exploitable without the need for user authentication. According to Onapsis, an attacker could execute an arbitrary query in the database to get or modify private information.

Further reading

"We discovered these bugs doing research during a security assessment in one of our customers," Sebastian Bortnik, head of research at Onapsis, told eWEEK. "We reported the vulnerabilities in mid-2017."

Onapsis also reported that a previously patched EBS flaw is vulnerable to a cryptocurrency miner exploit that has already been attacking PeopleSoft deployments. On Jan. 8, ISC SANS reported that attackers were exploiting the CVE-2017-10271 vulnerability, which enables unauthenticated access to a WebLogic Server. According to ISC SANS, the attackers were able to get a cryptocurrency miner running on PeopleSoft servers, which include WebLogic, to mine approximately $250,000 in Monero cryptocurrency. Bortnik noted that the CVE-2017-10271 vulnerability was patched in October 2017.

"Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes," Oracle warned in its January CPU advisory. "In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches."

According to Bortnik, it's also possible that flaws that were patched in the January CPU could be also used for unauthorized cryptocurrency mining attacks. Any bug that enables code execution could be potentially used in a cryptocurrency miner attack, he said. Cryptocurrency attacks against Oracle applications are relatively uncommon and are a new phenomenon, Bortnik added.

"Attacks against business-critical applications are usually more targeted attacks and less frequent than attacks that make the press," Bortnik said. "We have worked in the past with companies that have suffered an attack but still haven't seen one affected to date with cryptocurrency."

Java

As part of the January CPU, Oracle also patched 21 security vulnerabilities in Java, of which 18 are remotely exploitable without authentication.

Among the remotely exploitable issues are a pair of deserialization flaws that were discovered by security firm Waratek. Serialization is the process by which a data object is converted from an object to a series of bytes that can be stored and communicated.

"Waratek researched the JRE (Java Runtime Environment) codebase and has identified two new unbounded memory allocation vulnerabilities in two JRE subcomponents that may be remotely exploitable without authentication," Waratek stated in an advisory released Jan. 18.

Waratek noted that Oracle has patched Java serialization methods for multiple vulnerabilities over the course of 2017 and introduced a new serialization filtering mechanism to help mitigate risks.

"Oracle has tried to address deserialization, which is notoriously difficult to address, over the past year," James Lee, executive vice president at Waratek, told eWEEK. "It has remained difficult to fix, and this CPU proves that deserialization remains a serious issue."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

By submitting your information, you agree that eweek.com may send you eWEEK offers via email, phone and text message, as well as email offers about other products and services that eWEEK believes may be of interest to you. eWEEK will process your information in accordance with the Quinstreet Privacy Policy.

We ran into a problem

We already have your email address on file. Please use the "Forgot your password?" link to create a password, validate your email and login.